NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0134 Storm Trojan Spammers Used Phased Attack:


Researchers from the email security firm Postini have concluded that the group behind last week's massive Storm Trojan spam blast set up Windows users by switching tactics in mid-run, making the second stage's subject headings more believable. "There was a very distinct transition point" between the two stages, said a Postini expert. "It was a concerted effort to trick users." The huge wave of worm-infected spam emails sent out starting early on 12APR had receded by early morning on Friday 13APR. "We're still crunching the numbers, but it looks like three times that of the largest in the last 12 months, around 60 million (messages) total."

Although most of the attention was paid to the attack's second phase - when spammed messages arrived with subject headings such as "Worm Alert!" and "Virus Activity Detected!" - the assault began with less alarming mail with subjects including romantic phrases.

Postini considers the two-part attack a "self-fulfilling prophecy" because of the attacker's skill at setting up recipients for the second stage, which played off fears of an actual infection to dupe users into running the attached executable file. When the malware executes, it installs a rootkit to cloak itself, disables security software, steals confidential information from the PC, and adds the infected machine to a botnet of compromised computers. Storm Trojan can also self-propagate by searching for email addresses stored on the PC and sending copies of itself to those addresses.

(www.computerworld.com 16APR07)



Last Modified: Friday, 20-Apr-2007 20:09:05 EDT